breach notification laws: notification requirements and data safeguarding … · 2016-09-20 ·...



Breach Notification Laws: Notification Requirements and Data Safeguarding Now Apply to Everyone, Including Entrepreneurs

SAMUEL LEE*

To start a business in an information-driven economy, a business must prepare itself to gather and store its clients and customers' personal information-social security numbers, driver's license numbers, account numbers-so it can provide efficient, narrowly tailored services and gain or maintain a winning advantage in an increasingly crowded domestic and international marketplace. As information is continually being gathered and retained, consumer concern regarding identity theft and overall personal privacy amplifies, and this concern has become a catalyst for the creation of numerous consumer protection laws, federal privacy laws, state privacy laws, and now, breach notification laws. The states have responded with a myriad of state laws with different notification triggers and different standards of notification, and the federal government is prepared to establish a federal breach notification standard of its own. This note will examine current state breach notification laws and a number of proposed federal breach notification bills, and assess how the laws affect a business' compliance strategy.

I. INTRODUCTION

To start a business in an information-driven economy, a start-up must prepare itself to gather and store its clients and customers' personal information-Social Security numbers, driver's license numbers, account numbers-so it can provide efficient, narrowly tailored services and gain a winning advantage in an increasingly crowded domestic and international marketplace. An array of businesses and organizations gather and store customers' sensitive, personal information for business use and data warehousing. Financial institutions and insurance companies gather the most private of financial information when customers open accounts and purchase various insurance policies. Educational institutions keep lengthy personal records of thousands of students, faculty, and employees. Grocery stores create databases tracking consumer shopping habits that are instantly retrievable with the swipe of a keychain bonus card. As information is continually being gathered and retained, consumer concern regarding identity theft[1] and overall personal privacy heightens. The concern has become a catalyst for the creation of numerous consumer protection laws, federal and state privacy laws, and now, state breach notification laws.

* J.D., The Ohio State University Moritz College of Law, expected 2007. I'd like to thank Kirk Herath for all his help and guidance.

126 ENTREPRENEURIAL BUSINESS LAW JOURNAL [Vol. 1:125

Businesses within the banking and insurance industries and other large businesses have already responded to security breaches, consumer backlash, and current governmental regulation by implementing technological safeguards and servicing customers' complaints. But what do startup businesses need to do to comply? How do these breach notification laws affect their bottom-line? Compliance has been a way of life for many corporate governance boards and small business owners, and for entrepreneurs to ensure their business practices comply with state and federal privacy laws they should integrate compliance strategies into their initial business plans, instead of waiting until a problem arises. Startups need to be apprised of the law, consider their business, and then decide what needs to be done to ensure legal compliance and financial success.

This Note will examine current state breach notification laws and a number of proposed federal breach notification bills and assess how the laws affect a business' compliance strategy. Section II will go into detail about recent history of high profile security breaches. Section III will discuss the various state laws that currently exist and examine their similarities and differences. Section IV will analyze competing federal bills and discuss a potential federal law's effect on businesses. Finally, Section V will discuss how start-up businesses can begin to think about complying with these laws, while preserving their entrepreneurial ambitions.

[1] In 2005, the Federal Trade Commission (FTC) advised the Senate Commerce Committee that its 2003 survey revealed that 10 million consumers were victims of identity theft, which led to business losses of $48 billion and countless hours remedying consumer records. Data Security Breaches What You Need to Know Now, Goodwin Procter LLP, MONDAQ BUSINESS BRIEFING, Oct. 4, 2005, at 14, available at http://www.mondaq.com/article.asp?articleid-35220. In 2004, approximately thirty-nine percent of fraud complaints to the FTC were related to identity theft, which was an increase of nineteen percent over 2003 and sixty-one percent over 2002. Zach Patton, Stolen Identities, GOVERNING MAG., Aug. 2005, at 39, available at http://www.governing.com/articles/8ident.htm. When a company's records are breached, the breach does not necessarily lead to identity theft or even present consumers with an immediate threat to their privacy, but consumer trust is rattled. According to a survey sponsored by the Ponemon Institute, a privacy think-tank, nineteen percent of Americans notified of a security breach are planning to terminate or have terminated their relationship with the affected company. Robert L. Raskopf and David Bender, New Survey, Litigation Highlight Importance of Privacy Practices, 234 N.Y. L.J. 63, Sept. 29, 2005, at 5, available at http://www.whitecase.com/publications/detail.aspx?publication-23. Another forty percent are considering switching companies, and another fifty-eight percent said their trust and confidence in the company has decreased. Id.

II. HISTORY AND CURRENT CLIMATE

Breach notification laws are not the first laws to attempt to regulate data protection and breach notifications. The Health Information Portability and Accountability Act gave the Department of Health and Human Services the ability to regulate the use and dissemination of information related to health care and "health plans, health care clearinghouses, and certain health care providers."[2] The Gramm-Leach-Bliley Act ("GLBA"), in existence since 1999, was designed to promote and enforce safeguarding guidelines and data privacy standards[3] in the institutional financial sector, which includes a set of customer notification requirements for financial or insurance companies governed by federal law.[4] The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice mandates that customer notification under GLBA occur when there is an unauthorized access of sensitive customer information and there is a likelihood that the information will be misused.[5]

GLBA and analogous state privacy laws do not cover all businesses, but state breach notification laws have expanded these kinds of notification requirements to a broader and more general range of agencies and businesses. The media attention around many high-profile data breaches did not start the privacy and notification conversation, but it did help raise consciousness of the rising concern involving data safeguarding and data privacy. A look into some of the more high-profile breaches and various responses by state and federal agencies provides the context for the rush of breach notification bills and laws enacted in 2005.

A. Security Breaches

High profile security breaches at companies like ChoicePoint, Bank of America, LexisNexis,[6] University of California,[7] and Designer Shoe Warehouse ("DSW") occurred in 2004 and 2005, the most notorious being the high-profile security breach at ChoicePoint. In February 2005, ChoicePoint, a data management broker based in Alpharetta, Georgia, publicly notified approximately 145,000 customers that thieves posing as potential small business customers had compromised their personal information in September 2004.[8] By November 2005, ChoicePoint had notified an additional 17,000 customers of breaches.[9] As of July 2005, ChoicePoint had spent $11.4 million remedying the security breach and it is expected that they will sacrifice $15 to $20 million in sales to overhaul their business to prevent future breaches.[10]

[2] James P. Nehf, Incomparability and the Passive Virtues of Ad Hoc Privacy Policy, 76 U. COLO. L. REV. 1, 10-11 (2005).
[3] For the purposes of this Note there is a distinction between data safeguarding and data privacy. Safeguarding refers to issues of protection and security of personal data. Privacy rules dictate the collection, dissemination, notification, and other uses of personal data.
[4] See Edward J. Janger & Paul M. Schwartz, Modern Studies in Privacy Law: Notice, Autonomy and Enforcement of Data Privacy Legislation: The Gramm-Leach-Bliley Act, Information Privacy, and the Limits of Default Rules, 86 MINN. L. REV. 1219, 1224 (2002).
[5] Federal Reserve Board, Interagency Guidelines Establishing Information Security Standards Small-Entity Compliance Guide, 11 (2005), available at http://www.federalreserve.gov/BoardDocs/Press/bcreg/2005/20051214/attachment.pdf.
[6] LexisNexis notified 32,000 persons on March 10, 2005, that their sensitive personal information was exposed. The Privacy Rights Clearinghouse, A Chronology of Data Breaches Reported Since the ChoicePoint Incident, http://www.privacyrights.org/ar/

Shortly after the ChoicePoint announcement, Bank of America, one of the nation's largest banks, reported it had lost backup tapes that contained information of 1.2 million accounts that consisted of Social Security numbers and account information.[11] In April 2005, online broker Ameritrade disclosed that it had also lost backup tapes and notified 200,000 past and current customers of its loss.[12]

In June 2005, CardSystems, a transaction processing company that does business with credit card companies including Visa and Mastercard, announced that almost 40 million customer accounts were exposed during a breach.[13] The effects of this breach reached all the way to Japan, where a reported $1 million of fraudulent charges were made that were directly linked to the security breach earlier that month at CardSystems.[14]

As of February 2006, the Privacy Rights Clearinghouse, a consumer advocacy group in San Diego, has reported that since the ChoicePoint announcement almost 55 million customer accounts, containing sensitive information, spanning at least 80 different occurrences in a plethora of organizations, have been compromised. Most of those breaches were linked to dishonest insiders, computer hacking, or stolen laptops and computers.[15]

[6 cont.] ChronDataBreaches.htm (last visited Feb. 28, 2006).
[7] The University of California notified 98,400 persons on March 11, 2005, that their sensitive personal information was exposed. The Privacy Rights Clearinghouse, supra note 6.
[8] Associated Press, 17,000 More Warned in ChoicePoint Breach, Nov. 9, 2005, http://www.msnbc.msn.com/id/9978812/from/RL. / (last visited Feb. 15, 2006).
[9] Id.
[10] Joris Evers, Break-in Costs ChoicePoint Millions, CNET News.com, July 20, 2005, http://news.com.com/Break-in+costs+ChoicePoint+millions/2100-7350 3-5797213.html (last visited Feb. 15, 2006).
[11] Associated Press, Bank of America Loses Customer Data, Mar. 1, 2005, http://www.msnbc.msn.com/id/7032779/.
[12] Bob Sullivan, Ameritrade Warns 200,000 Clients of Lost Data, April 19, 2005, http://www.msnbc.msn.com/id/7561268/ (last visited Feb. 15, 2006).
[13] Steven Marlin, Banks Scramble To Contain Damage From CardSystems Hacking Incident, INFORMATIONWEEK, June 22, 2005, http://informationweek.com/story/showArticle.jhtml?articlelD 164901831 (last visited Feb. 15, 2006).
[14] Peralte C. Paul, Fraud in Japan Tied to Data Breach; Atlanta-based Card Processor Blamed, THE ATLANTA JOURNAL-CONSTITUTION, June 23, 2005, at 1E.

B. State and Federal Agency Response

State and federal agencies imposed civil fines on businesses for lax data security long before breach notification laws existed.[16] Enforcement has come from the Federal Trade Commission ("FTC") under the Federal Trade Commission Act or states' attorneys general under unfair and deceptive trade practices statutes.[17] In June 2005, BJ's Wholesale Club agreed to settle charges by the FTC related to its failure to maintain appropriate security measures to protect sensitive personal information of its customers.[18] Using the Federal Trade Commission Act, the FTC claimed that BJ's lax security led to unauthorized access of customer information, which led to "millions of dollars of fraudulent purchases."[19] The settlement required an overhaul of BJ's information security program[20] and third party auditing every other year for twenty years.

In April 2004, New York State Attorney General Eliot Spitzer announced an agreement with BarnesandNoble.com to correct an Internet security breach and a flaw in its system that led to an exposure of customers' personal information.[21] The agreement required a security program, employee training, external auditing, compliance reports, and a $60,000 fine.[22]

In Ohio, Attorney General Jim Petro brought suit against local retailer Designer Shoe Warehouse ("DSW") demanding that it individually notify each customer whose private information was exposed due to stolen computer files.[23] The stolen data included DSW "customers' names, credit card numbers, debit card numbers, checking account numbers, and driver's license numbers."[24]

[15] See Privacy Rights Clearinghouse, supra note 6.
[16] Most of the charges revolved around state and federal security and privacy laws, not breach notification laws.
[17] See Press Release, Federal Trade Commission, BJ's Wholesale Club Settles FTC Charges (June 16, 2005), available at http://www.ftc.gov/opa/2005/06/bjswholesale.htm (last visited Feb. 15, 2006); Press Release, Off. of N.Y. St. Att'y Gen. Off. Eliot Spitzer, Attorney General Reaches Agreement with Barnes and Noble on Privacy and Security Standards (Apr. 29, 2004), available at http://ww.oag.state.ny.us/press/2004/apr/apr29a 04.html (last visited Feb. 15, 2006).
[18] See Press Release, Federal Trade Commission, supra note 17.
[19] Id.
[20] Id.
[21] Press Release, Off. of N.Y. St. Att'y Gen. Off. Eliot Spitzer, supra note 17.
[22] Id.
[23] Ohio Sues DSW Over Customer Data Theft, Consumeraffairs.com, June 7, 2005, http://www.consumeraffairs.com/news04/2005/ohio dsw.html (last visited Feb. 15, 2006).
[24] Id.

In early 2006, the FTC imposed a $10 million civil fine on ChoicePoint for its security breach, and an additional $5 million settlement that will be used to create a trust fund to help the victims of the data theft.[25] The charge was based on ChoicePoint's failure to comply with data protection requirements promulgated by the Fair Credit Reporting Act and that ChoicePoint had made false and misleading statements regarding its data privacy policies.[26]

In February 2006, CardSystems and its successor Solidus Networks, Inc., doing business as Pay By Touch Solutions, agreed to settle FTC charges.[27] The settlement will require CardSystems and Pay By Touch to implement a comprehensive security program and obtain auditing every other year for twenty years.[28] The CardSystems breach led to the exposure of tens of millions of customers' personal information.[29]

State attorneys general and the FTC have been using data privacy laws to attack companies that do not safely protect individuals' personal information, but now, state legislatures have responded to these security breaches by passing or introducing breach notification laws that require companies to disclose breaches that meet the state requirements for disclosure.

III. STATE BREACH NOTIFICATION LAWS

As of January 2006, at least twenty-three states[30] have introduced or passed breach notification laws, affecting companies who do business in those states.[31] Most state laws mirror California's law, with some even adopting California's statutory language verbatim. Others have diverged from the pivotal predecessor by adding and subtracting language; thus, narrowing or broadening the ambit of the law's ability to require an organization to notify affected customers. To determine how breach notification laws affect a business, most state laws can be evaluated by four characteristics: (1) what are the "triggers" to notification, (2) what is the appropriate mode and method of notification, (3) is notification to outside regulators and agencies required, and (4) what safe harbors exist. These general categories will dictate much of the costs involved with compliance and provide a template by which each state law can be evaluated and compared. California's breach notification law has been the most influential, and many states have followed its example. It is important to discuss its merits first to provide a frame of reference to view the other state laws, and later to view proposed federal bills. After a discussion of California's law, a sample of other effectuated state laws will display the variations of current breach notification laws.

[25] Jaikumar Vijayan, FTC Makes a Point With ChoicePoint Penalties; Hits Firm with Largest Civil Fine Ever in Data Breach Case, COMPUTERWORLD, Jan. 30, 2006, http://www.computerworld.com/managementtopics/ebusiness/story/0,10801,108173,00.html?source-x52 (last visited Feb. 15, 2006).
[26] Id.
[27] Press Release, Federal Trade Commission, CardSystems Solutions Settles FTC Charges (Feb. 23, 2006), available at http://www.ftc.gov/opa/2006/02/cardsystems r.htm (last visited Mar. 1, 2006).
[28] Id.
[29] Id.
[30] As of January 2006, the following states have passed breach notification laws: Arkansas, California, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas, and Washington. The State PIRG, State PIRG Summary of State Security Freeze and Security Breach Notification Laws, http://www.pirg.org/consumer/credit/statelaws.htm (last visited Feb. 14, 2006).
[31] ,,

A. California (SB 1386)

Many state notification laws resemble California's Senate Bill 1386. Enacted in 2003, the passage of SB 1386 came after another high-profile security breach[32] at the Stephen P. Teale Data Center.[33] The breach led to the exposure of the personal information of 265,000 state employees, including 120 legislators, and the two month notification delay infuriated many senators and assembly members.[34] With a unanimous vote, the bill passed and entered the national scene when ChoicePoint, a Georgia corporation, and other companies responded to the California law and publicly notified customers of security breaches.

The purpose behind SB 1386 was to limit the effects of privacy and financial security breaches created by the "widespread collection of personal information by both the public and private sector."[35] Specifically, the Act is designed to fight the growing crime of identity theft and other crimes using personal information as source material.[36] The language of the law reads:

Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay....[37]

[32] It is mildly ironic that such a significant breach that prompted the creation of such a law occurred at a state agency and not a corporation.
[33] Deb Kollars, U.S. Follows State's Lead on Data-Theft Notification, SACRAMENTO BEE, June 22, 2005, at A1.
[34] Id.
[35] S.B. 1386, Chapter 915, 2001-02 Reg. Sess. (Cal. 2002).
[36] ,,

The "trigger" based on the statutory language in California law is comprised of several different elements that combine to create a minimum threshold to notification. Once the different requirements of the trigger are met, then a company or organization is required to notify affected individuals. The first element California requires is an actual occurrence or reasonable belief that an unauthorized acquisition has occurred.[38] This reasonable belief standard is broad, and requires notification after any security breach, but the California privacy office narrows the definition of "acquisition" to mean physical possession and control of personal information, downloading, or possession of information used in some illegal manner such as opening fraudulent accounts or executing identity theft.[39] While California's privacy office's definition is not law, it is persuasive. California further limits the kind of information the law protects to personal information that is computerized.[40]

Protected "personal information" is defined as an "individual's first name or first initial and last name in combination with . . . [a] Social Security number, driver's license number or California identification card number, or account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account."[41] The law notes that a breach has not occurred if an employee or agent accesses personal information within their scope of employment or agency as long as good faith requirements are met and no additional unauthorized information is disclosed.[42]

California law allows for a variety of methods of notification. "Notice" may be provided as written notice, electronic notice, and if relevant, substitute notice which includes email notice, conspicuous posting of the notice on the agency's web site page, or notification to major statewide media.[43] Substitute notification is permitted when the cost of notification exceeds $250,000, there are 500,000 affected individuals, or the person does not have enough contact information to provide written or electronic notice.[44] Notification needs to be expedient, and should be done within ten days of the breach.[45]

[37] CAL. CIVIL CODE § 1798.29(a) (Deering 2005).
[38] Id.
[39] Office of Privacy Protection, Recommended Practices on Notification of Security Breach Involving Personal Information, http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf (last visited Feb. 15, 2006).
[40] § 1798.29(a).
[41] CAL. CIVIL CODE § 1798.29(e) (Deering 2005).
[42] CAL. CIVIL CODE § 1798.29(d) (Deering 2005).
[43] CAL. CIVIL CODE § 1798.29(g) (Deering 2005).

One significant safe harbor exists under SB 1386. California law has provided that notification is not required if personal information is encrypted. Therefore, organizations that encrypt their personal information do not fall under the breach notification requirement.[46]

California's trigger elements are one of the broadest state triggers to notification. Essentially, California requires a company or organization to notify customers whenever there is a reasonable belief a breach has occurred. The more narrowed definition of acquisition constrains the law's scope, but the law is still broader than those of other states that have chosen to require notification only after some kind of risk of harm assessment.

California's law has been pivotal and because many companies do business with California residents, most companies have made steps to overhaul their security programs and notification methods to comply with California law. California's SB 1386 is by no means perfectly constructed and various attempts have been made to amend the law to remove some of the exemptions the statute has created.[47] As debate rages on whether a national federal standard should exist, other states have responded in similar and dissimilar ways to California.

B. Other State Notification Laws

In 2005, at least 35 states have enacted or introduced their own version of breach notification laws.[48] Most states follow the California template, but some states like Arkansas, Delaware, and New York have created laws with different notification trigger levels, notification methods and specificity requirements, outside reporting requirements, and safe harbors.

1. Arkansas (SB 1167)

Under Arkansas law, before notification is required there must be a reasonable belief that an unauthorized person has acquired computerized, unencrypted personal information.[49] This is almost identical to California's standard. But, unlike California law, Arkansas law provides that "notification under this section is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers."[50] This exemption does not exist in California law. This exemption creates a narrower trigger to notification than California's trigger. A business is not required to notify Arkansas residents of security breaches if the business can prove there is no reasonable likelihood that harm will result. Under California law, most breaches, even those that may not reasonably lead to harm to the customer, need to be reported to the public. Arkansas also expanded its definition of "personal information" to include a person's name in combination with medical information.[51]

[44] CAL. CIVIL CODE § 1798.29(g)(3) (Deering 2005).
[45] Office of Privacy Protection, supra note 39.
[46] CAL. CIVIL CODE § 1798.29(a) (Deering 2005).
[47] See Thomas Claburn, Law Requires ChoicePoint To Disclose Fraud, INFORMATIONWEEK, Feb. 17, 2005, http://www.informationweek.com/showArticle.jhtml?articlelD-60401882 (last visited Feb. 15, 2006) (stating that Senator Debra Bowen attempted to amend California law to extend to all forms of data, not just computerized, but was voted down).
[48] The State PIRG, supra note 31.
[49] ARK. CODE ANN. § 4-110-105(a) (Lexis 2005).

2. Delaware (HB 116)

Delaware, like Arkansas, has narrowed its notification trigger,[52] but unlike Arkansas, Delaware requires businesses and individuals to "conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused."[53] Notice is required once an investigation shows that information has been or is reasonably likely to be misused.[54] Yet Delaware has gone one step further than Arkansas. Arkansas allows businesses and organizations to investigate a security breach and assess the reasonableness of resulting harm to its customers if it does not want to notify.[55] Because Delaware did not include its investigation requirement as an exemption to notification, a company appears to be required to do a good faith investigation.[56] Mandatory investigations incur additional costs and businesses that want to opt-out of a belaboring investigation no longer have this option.

Delaware also differs from most other states by not including the word "encryption" in its statutory language. This exclusion is significant, because the potential safe harbor created by states like California with the encryption language does not exist in Delaware.

Delaware expands its permitted notification methods to allow telephonic notification. Substitute notification is permitted if notice costs exceed $75,000; there are more than 100,000 affected customers; or the individual does not have enough contact information to provide written, telephonic, or electronic notice.[57]

50 ARK. CODE ANN. § 4-110-105(d) (Lexis 2005) (emphasis added).5 ARK. CODE ANN. § 4-110-103 (7)(D) (Lexis 2005).52 See DEL. CODE ANN. tit. 6, § 12B- 102(a) (Lexis 2005).53 id.54 id.

55 See ARK. CODE ANN. § 4-110-105(d) (Lexis 2005).56 See DEL. CODE ANN. tit. 6, § 12B- 102(a) (Lexis 2005).57 DEL. CODE ANN. tit. 6, §12B-101(3) (Lexis 2005).


Delaware does not have a private right of action, but allows the state attorney general to bring actions for violations of the statute.[58]

3. New York (AB 4254/SB 5827)

New York's notification law is virtually identical to California's law, but it goes further and adds specificity where California's law does not. California law does not codify its definition of acquisition, but leaves its meaning to the office of privacy as a recommended best practice. Some factors New York says a business may consider in determining whether information has been acquired by an unauthorized person include physical possession and control, such as a stolen computer or device; downloading or copying; or unauthorized usage of the information, such as the opening of fraudulent accounts or identity theft.[59]

New York asks for more detail in a company's breach notification than California. A notification under New York law should have the contact information for the person making the notification and list the categories of information that were affected, including elements of information that have been or are reasonably believed to have been acquired.[60]

New York law, unlike most state laws, has codified outside reporting requirements when a breach has occurred. If 5,000 New York residents are notified at a single time, New York law requires additional notification to consumer reporting agencies of the timing, content, and distribution of the notices and approximate number of affected persons.[61]

Also, when a business or person is required to notify a resident, they must give notice to the state attorney general, the consumer protection board, and the state Office of Cyber Security and Critical Infrastructure Coordination of the timing, distribution, and content of the notice and the approximate number of affected individuals.[62]

States have responded to concerns over identity theft and protection of personal information by enacting breach notification laws, which require businesses and organizations to notify customers in the event their personal information is acquired by an unauthorized person. Most states have mirrored California's influential law, but there are competing state statutes that differ from California's standards. States like Delaware have created laws that, on their surface, call for less notification than California. Other states like New York make the notification process expensive and laborious by requiring outside reporting along with regular notification. California's law still stands as the most influential, but as the idea of a uniform federal law to govern breach notifications comes closer to realization, it will be a compelling question as to which state law, if any, the federal law will attempt to emulate.

58. DEL. CODE ANN. tit. 6, § 12B-104 (Lexis 2005).
59. N.Y. GEN. BUS. LAW § 899-aa(1)(c) (McKinney 2005).
60. N.Y. GEN. BUS. LAW § 899-aa(7) (McKinney 2005).
61. N.Y. GEN. BUS. LAW § 899-aa(8)(b) (McKinney 2005).
62. N.Y. GEN. BUS. LAW § 899-aa(8)(a) (McKinney 2005).

ENTREPRENEURIAL BUSINESS LAW JOURNAL [Vol. 1:125 (2006)]

IV. FEDERAL RESPONSE

At the close of 2005, there were at least seven[63] House and Senate committees working on federal legislation directly addressing what organizations should do when individuals' personal and private data has been illegally accessed.[64] The likelihood of federal legislation has increased now that at least twenty-three state legislatures have passed their own versions of breach notification laws, creating a patchwork of conflicting laws that burden interstate commerce.[65] Most of the federal bills mirror or build off of some variation of existing state law, but the operative question remains: "Which concepts will Congress adopt?"

Various federal bills have been in the works for most of 2005, but because of divergent opinions regarding committee jurisdiction, statutory language, and scope of the potential law, a consensus has not been reached.[66] The potential ramifications of a uniform federal law have many groups and organizations contributing their opinions to the process. The opinions of diverse players (corporations, consumer advocacy groups, government organizations, government representatives, and state governments) circle around many different issues, but the main issue is the trigger language. This section will look at the trigger language and construction of Senate Bill 1789, House Bill 3140, and Senate Bill 1326.[67] After an analysis of those bills, the section will transition into a brief look at the varying opinions of industry and consumer groups about a federal bill and their recommendations for its potential construction.

63. S. 1789, 109th Cong. (2005); S. 1408, 109th Cong. (2005); S. 1326, 109th Cong. (2005); H.R. 4127, 109th Cong. (2005); S. 500, 109th Cong. (2005); H.R. 1080, 109th Cong. (2005); H.R. 3997, 109th Cong. (2005); H.R. 3140, 109th Cong. (2005).
64. See Florence Olsen, Debate Continues on Data Privacy Bill, FEDERAL COMPUTER WEEK, Nov. 21, 2005, http://www.fcw.com/article9l5O4-11-21-05-Print (last visited Feb. 15, 2006).
65. The State PIRG, supra note 31.
66. See Olsen, supra note 64.
67. Any of these bills could change before final enactment, but the purpose of looking through the various federal bills is to provide a general idea of what form a uniform federal law may take and to illuminate the different effects statutory language will have on organizations.

A. Proposed Federal Laws

1. S. 1789

Various bills have been presented in both houses of Congress, but Senate Bill 1789, the Personal Data Privacy and Security Act of 2005, is one of the most complex bills.[68] Its contents have been amended and scrutinized on various occasions since its introduction on September 29, 2005, by Republican Senator Arlen Specter of Pennsylvania and Democratic Senator Patrick Leahy of Vermont,[69] but the Senate Judiciary Committee eventually passed it on November 17, 2005.[70] Senate Bill 1789 requires individual customer notification as follows:

Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information shall, following the discovery of a security breach of such information notify any resident of United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired.[71]

A significant safe harbor exception exists in this bill that directly defines the scope of the bill's proposed trigger. The general trigger is a reasonable belief that sensitive personally identifiable information has been accessed or acquired.[72] The exception to this general rule is that no notification is required if a risk assessment concludes that there is no significant risk that the security breach has resulted in, or will result in, harm to the individual.[73] After the discovery of the breach, an agency or business must notify the Secret Service[74] of the results of the risk assessment and its decision to invoke the risk assessment exemption.[75] For the exemption to be final, the Secret Service must not indicate, in writing, that notice should be given.[76] With this risk assessment exemption, the real trigger in S. 1789 is the significant risk of harm standard, which then leads to the subsequent notification of the proper regulatory agency.[77]

"Sensitive personally identifiable information" has been defined as any information in electronic or digital form that includes an individual's first and last name or first initial and last name in combination with any one of the following data elements: non-truncated Social Security number, driver's license number, passport number, or alien registration number,[78] or any two of the following: home address or telephone number, mother's maiden name (if identified as such), or date of birth.[79] Other data elements include unique biometric data such as fingerprints or retina images, unique codes,[80] identification numbers with password or access code required to obtain money or other things of value,[81] and financial account numbers in combination with passwords and access codes.[82]

68. Alexei Alexis, Senate Judiciary Committee Passes Chairman's Comprehensive ID Theft Bill, 4 PRIVACY & SECURITY L. REP. 1420 (Nov. 21, 2005), available at http://pubs.bna.com/ip/BNA/PVL.NSF/85256269004a991e8525611300214487/7d02526b6e20dd84852570bd0080134a?OpenDocument (last visited Feb. 15, 2006).
69. S. 1789, 109th Cong. (2005).
70. Id.
71. S. 1789, 109th Cong. § 321(a) (2005).
72. Id.
73. S. 1789, 109th Cong. § 322(b)(1) (2005).
74. The Secret Service does not seem to be the prime enforcing agency to perform risk assessments, but the enforcement agencies are mostly linked to the specific committee presenting the bill.
75. S. 1789, 109th Cong. § 322(b)(2)(A)-(B) (2005).

Notification can occur in a variety of methods. The bill permits written notice, telephone notice, or email notice if the individual has consented to receive such electronic notice.[83] Media notice is acceptable where 5,000 persons in a given state or jurisdiction have had their sensitive personally identifiable information accessed.[84] The bill imposes certain content requirements, such as a description of the categories of information that have been accessed, toll-free numbers of the business entity, and numbers of credit reporting agencies.[85]

Senate Bill 1789 goes further in setting specifications for notifying other entities after a breach of sensitive personally identifiable information. The bill requires an agency or business to notify, without unreasonable delay, all consumer reporting agencies if more than one thousand individuals' information has been compromised.[86] The United States Secret Service will be the source of federal enforcement and investigation,[87] and notification to the United States Secret Service shall be required if any one of four situations occurs: (1) the number of individuals affected exceeds 10,000; (2) the security breach involves a database or system of databases containing the sensitive personally identifiable information of more than 1,000,000 individuals nationwide; (3) the security breach involves databases owned by the federal government; or (4) the security breach involves primarily sensitive personally identifiable information of employees and contractors of the federal government involved in national security or law enforcement.[88] Senate Bill 1789 establishes general preemption of other federal and state laws except for the protocol required by the GLBA.[89]

76. S. 1789, 109th Cong. § 322(b)(3) (2005).
77. See S. 1789, 109th Cong. § 322 (2005).
78. S. 1789, 109th Cong. § 3(11)(A)(i) (2005).
79. S. 1789, 109th Cong. § 3(11)(A)(ii) (2005).
80. S. 1789, 109th Cong. § 3(11)(A)(iii) (2005).
81. S. 1789, 109th Cong. § 3(11)(A)(iv) (2005).
82. S. 1789, 109th Cong. § 3(11)(B) (2005).
83. S. 1789, 109th Cong. § 323(1) (2005).
84. S. 1789, 109th Cong. § 323(2) (2005).
85. See S. 1789, 109th Cong. § 324 (2005).
86. S. 1789, 109th Cong. § 325 (2005).
87. S. 1789, 109th Cong. § 1039(c) (2005).

The bill does, however, leave some content creation authority to the states. A state may add to content requirements by requiring notice to include information regarding victim protection assistance provided for by that state.[90] Also, in addition to state courts, a state attorney general has the ability to bring civil action in federal district court on behalf of its residents.[91] The Act does not, however, create a private right of action.[92]

Additional provisions in the bill provide for requirements for a personal data privacy and security program,[93] a layout of civil remedies,[94] and guidelines for the relationship between data brokers and individuals.[95]

Another notable exemption exists where a business or agency will be exempted from notification requirements when it participates in a security program that is designed to block the use of the sensitive personally identifiable information before any charges on the individual's account can occur.[96]

Those who oppose or criticize the bill do so for a number of reasons. Information technology groups like the Business Software Alliance, the Information Technology Association of America ("ITAA"), and the Software & Information Industry Association claim that the "'no significant risk of harm' standard is 'confusing and cumbersome.'"[97] The information technology groups call for a more detailed standard that requires notification when there is significant risk of identity theft. Senator Sessions from Alabama was expected to introduce amendments to the bill that would change the notification standard to a "significant risk of identity theft" standard instead of a "significant risk of harm" standard.[98] This amendment never materialized.[99] Sessions also stated that he worried that Specter's bill would preserve a patchwork of state laws instead of creating a strong uniform national standard.[100] The Financial Services Coordinating Council, an organization consisting of associations representing the banking, securities, and insurance industries, also voiced concern that the bill may not be a strong uniform law. The council, in a letter to Congress in October 2005, stated the legislation "would put in place a duplicative and inconsistent system of federal and state regulation and enforcement that could have far-reaching and negative consequences for the financial services system and our customers."[101] Senator Leahy, a cosponsor of the bill, voiced concerns over the bill's broad preemption,[102] and Senator Feinstein, at one point, pushed to have health care data protected under the bill but relented.[103]

88. S. 1789, 109th Cong. § 326(a) (2005).
89. S. 1789, 109th Cong. § 329(a) (2005). The exemption essentially acknowledges that the GLBA already has extensive notification requirements and data safeguarding provisions.
90. S. 1789, 109th Cong. § 324(b) (2005).
91. S. 1789, 109th Cong. § 328(a)(1) (2005).
92. S. 1789, 109th Cong. § 328(f) (2005).
93. See S. 1789, 109th Cong. § 302 (2005).
94. See S. 1789, 109th Cong. §§ 327, 328.
95. See S. 1789, 109th Cong. § 301 (2005).
96. See S. 1789, 109th Cong. § 322(c)(1)(A) (2005).
97. Alexei Alexis & Rachel McTague, Specter-Leahy ID Theft Measure Would Harm Industry, Groups Say, 4 PRIVACY & SECURITY L. REP. 1294 (Oct. 24, 2005), available at http://pubs.bna.com/ip/BNA/PVL.NSF/85256269004a991e8525611300214487/1c83993d340ede07852570a200000e66?OpenDocument (last visited Feb. 15, 2006).

2. H.R. 3140

By the end of 2005, a number of Senate and House bills were in the markup stage or being reviewed by judiciary committees. An example of a bill originating in the House is H.R. 3140.

Democratic Representative Melissa Bean of Illinois introduced H.R. 3140, the Consumer Data Security and Notification Act of 2005, on June 30, 2005.[104] The pertinent trigger language reads:

The regulations prescribed under subsection (b) shall include requirements for the notification of consumers following the discovery of a breach of security of any data system maintained by the consumer reporting agency in which sensitive consumer information was, or is reasonably believed to have been, acquired by an unauthorized person.[105]

98. Alexei Alexis, Senate Judiciary Republicans Seek More Time on Chairman's ID Theft Bill, 4 PRIVACY & SECURITY L. REP. 1356 (Nov. 7, 2005), available at http://pubs.bna.com/ip/BNA/PVL.NSF/85256269004a991e8525611300214487/ff9091626b843810852570af00829896?OpenDocument (last visited Mar. 13, 2006).
99. Id.
100. Alexis, supra note 68.
101. Alexis, supra note 97.
102. Alexei Alexis, Senate Judiciary Begins Work on Chairman's ID Theft Measure, 4 PRIVACY & SECURITY L. REP. 1328 (Oct. 31, 2005), http://pubs.bna.com/ip/BNA/PVL.NSF/4866a14be3b6f56685256ba3004dcb8b/c180be6c0dea54e0852570a8007b7f79?OpenDocument (last visited Feb. 15, 2006).
103. Alexis, supra note 98.
104. H.R. 3140, 109th Cong. (2005).
105. H.R. 3140, 109th Cong. § 630(c)(1) (2005).

Notification is not required where an agency reasonably concludes that misuse of the information is unlikely to occur,[106] notifies the appropriate law enforcement agency,[107] and takes appropriate steps to remedy the situation and safeguard the individual's interests.[108] Specter's standard of "risk of significant harm" seems narrower than the "unlikely misuse" standard in H.R. 3140, but how much narrower is unclear. H.R. 3140 provides another level of exemption where the data that is compromised is encrypted.[109] If the personal data is encrypted, then an agency is permitted to reasonably conclude that misuse is unlikely to occur.[110] It is not stated whether state attorneys general will be permitted to file actions on behalf of their citizens, or if the regulatory enforcement agency will be the sole entity allowed to bring civil suits.[111]

3. S. 1326

Introduced on June 28, 2005, by Republican Jeff Sessions,[112] Senate Bill 1326 takes a different stance on the development of a federal notification standard compared to Specter's bill. The pertinent notification language reads:

If an agency or person that owns or licenses computerized data containing sensitive personal information, determines, after discovery and reasonable investigation . . . that a significant risk of identity theft exists as a result of a breach of security of the system of such agency or person containing such data, the agency or person shall notify any individual whose sensitive personal information was compromised if such individual is known to be a resident of the United States.[113]

Senator Sessions' bill calls for notification when there is a significant risk of identity theft, which is much narrower language than S. 1789's significant risk of harm language. "Identity theft" is defined as "fraud committed using the identification of another person with the intent to commit, or to aid or abet any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law and that results in economic loss to the individual."[114] It is unclear, however, how much narrower a standard S. 1326's language presents. While S. 1326's definition of identity theft is directly affiliated with fraud and unlawful activity, S. 1789's significant risk of harm standard, until pared down or later defined by the United States Secret Service, seems to encompass more than just fraud and unlawful activity. In practice, the narrower identity theft language of S. 1326 would allow agencies or businesses to notify fewer individuals than required by Senator Specter's bill.[115]

106. H.R. 3140, 109th Cong. § 630(c)(2)(A)(i) (2005).
107. H.R. 3140, 109th Cong. § 630(c)(2)(A)(ii) (2005).
108. H.R. 3140, 109th Cong. § 630(c)(2)(A)(iii) (2005).
109. See H.R. 3140, 109th Cong. § 630(c)(3)(A) (2005).
110. Id.
111. See H.R. 3140, 109th Cong. (2005).
112. S. 1326, 109th Cong. (2005).
113. S. 1326, 109th Cong. § 3(b)(1)(A) (2005).

Additional notification requirements are conspicuously absent in this version of Senator Sessions' bill.[116] Senate Bill 1789 required notification to the enforcing body, the United States Secret Service, whenever a business intends to invoke that bill's significant harm exemption, but S. 1326 does not possess such a notification requirement and only goes as far as requiring a notification to consumer reporting agencies when 1,000 or more individuals need to be notified.[117]

Senate Bill 1326 is a less complex bill than its Senate counterpart, S. 1789, and its preemption section does not stray from that trend. Blanket preemption of state law would occur under S. 1326,[118] and once the Department of Justice files an action, a state attorney general may not bring an action for any violation of the Act alleged in the complaint.[119]

B. Industry and Consumer Response to Federal Bills

The mishmash of state law and federal bills has not gone unnoticed by industry and consumer groups, which have scrutinized the state laws and federal bills at every junction of their evolution. Groups generally fall into one of three categories of thought: a federal bill is unnecessary because state law is adequate; a broad federal law that completely preempts state law is favored; or a narrower federal law is needed that preempts stronger state law but eliminates redundancy and over-notification.

The first tier of debate revolves around the very existence of a uniform federal law. Edmund Mierzwinski, program director at the US Public Interest Research Group ("PIRG"), made clear in his testimony before a committee in Congress that many consumer group organizations feel that state responses have been adequate, and they fear a federal response could further restrain state responses.[120] Consumer groups feel that disregarding states' efforts would be detrimental to consumers because it ignores the valuable input and laboratorial study that states provide in the process of creating public policy.[121] The PIRG points out that even before the numerous state laws, attorneys general forced compliance under California law, which essentially served as a de facto standard.[122]

114. S. 1326, 109th Cong. § 2(6) (2005).
115. An organization may not have to notify as many affected individuals, but best business practices will likely compel businesses to go beyond what the law provides as a minimum notification threshold. This does not nullify the entire debate over trigger language because the significant risk of harm language may be so vague that it requires notification when a business would deem it necessary or beneficial to notify customers. Compare S. 1326, 109th Cong. § 3(b)(1)(A) (2005), with S. 1789, 109th Cong. (2005).
116. See S. 1326, 109th Cong. (2005).
117. S. 1326, 109th Cong. § 3(b)(6) (2005).
118. S. 1326, 109th Cong. § 5 (2005).
119. S. 1326, 109th Cong. § 4(a)(2)(D)(i) (2005).

California law provides for notification when there is a reasonable belief that an unauthorized acquisition has occurred.[123] Many states have fashioned their trigger language after California's reasonable belief standard, which prompts notification with simple acquisition and does not ask for the additional significant risk factors which Senator Specter's bill and Sessions' bill require. Those bills seemingly narrow the instances when an agency or business will be required to notify individuals, but California's reasonable belief standard may not regulate non-California agencies or businesses choosing a piecemeal notification strategy, complying with the bare minimum of each individual state law. This approach would be unwise but is hypothetically viable if the status quo is upheld.

Those who favor a uniform federal law to govern notification, like Ira Hammerman, Senior Vice President and General Counsel of the Securities Industry Association, believe the "expanding patchwork of state - and local - laws affecting data security and notice will make effective compliance very difficult for us and equally confusing for consumers."[124]

Kirk Herath, Chief Privacy Officer at Nationwide Mutual Insurance Co., favors a federal uniform standard because, besides the various state triggers, notification content requirements differ from state to state and not all states provide safe harbor provisions exempting companies that encrypt data.[125] He also finds a central regulatory authority enforcing a single law a much better alternative than state attorneys general enforcing their own state laws because it is difficult to operate in interstate commerce with a patchwork quilt of conflicting laws.[126] Microsoft Senior Vice President and General Counsel Brad Smith also favors federal legislation and sees an enactment of a comprehensive federal law as one step closer to a harmonization of the U.S. and international privacy approaches.[127] Smith advised that commerce is growing increasingly global, and Microsoft and other multi-national companies want to provide a safe level of privacy and data protection to international customers.[128]

120. Oversight Hearing on Data Security, Data Breach Notices, Privacy and Identity Theft Before the Committee on Banking, Housing and Urban Affairs, 109th Cong. 2 (2005), available at http://banking.senate.gov/ files/ACFDC9B.pdf (statement of Edmund Mierzwinski, U.S. PIRG).
121. Id.
122. See id.
123. CAL. CIVIL CODE § 1798.29(a) (Deering 2005).
124. Examining the Financial Service Industry's Responsibility to Prevent Identity Theft and Protect Sensitive Consumer Financial Information Before the Committee on Banking, Housing and Urban Affairs, 109th Cong. 1 (2005), available at http://banking.senate.gov/ files/hammerman.pdf (statement of Ira Hammerman, Securities Industry Association).
125. Jaikumar Vijayan, Three More States Add Laws on Data Breaches, COMPUTERWORLD, Jan. 6, 2006, http://www.computerworld.com/databasetopics/data/story/0,10801,107530,00.html (last visited Feb. 15, 2006).

A federal bill is likely to pass regardless of consumer group opposition, so the battle moves to the actual construction of the future federal law. Public interest groups like PIRG have recommended that if a federal law were to be enacted, it should cover computerized and paper data, disallow encryption exemptions, provide for free credit reports, and trigger notification by unauthorized acquisition rather than reasonable or significant risk of harm or identity theft.[129] This option would essentially enact the California standard as the official federal standard and call for a broad trigger to notification. Currently, no federal bill has such a broad trigger.[130] Senator Specter's original bill, S. 1332, which was introduced in June 2005, proposed that notification be required after any breach that "impacts sensitive personally identifiable information."[131] This standard did not survive, and S. 1332 was eventually replaced by S. 1789, which narrowed the notification trigger by adding the significant risk of harm language. A letter to Congress by more than 40 state attorneys general stated that a federal bill should not preempt state law or ignore California's de facto standard, but as a compromise, the significant risk of harm language would be acceptable if additional notification to law enforcement was required.[132]

Whether a broad trigger takes the form of California's "reasonable belief of acquisition" standard or Senator Specter's "significant risk of harm" standard, consumer groups are pushing for a sufficiently broad trigger to ensure prompt notification to individuals who have had their most sensitive personal information compromised. Consumer groups in favor of a broad trigger and stringent reporting requirements, coupled with strong and uniform enforcement, believe a weak federal bill with a narrow trigger would be unable to help individuals combat identity theft and other fraud pertaining to compromised personal information.[133] They dislike trigger language that narrows notification to occurrences where there is a reasonable belief of a significant risk of identity theft because they believe the standard would allow companies to notify only certain select individuals, leaving others at risk.[134] In a letter to House committees, four significant consumer privacy groups[135] voiced concern that a trigger tied to a risk of identity theft standard (specifically H.R. 4127's standard) would not be effective because identity thieves wait a few months before striking.[136] Therefore, immediate evaluation of risk of identity theft after a security breach may not be feasible.[137] Consumer groups also raise concerns that identity theft is not the only crime or harm that can be perpetrated with personal information (stalking and domestic violence being examples that fall outside reporting requirements), but if identity theft is not reasonably foreseen, then no notification will occur.[138]

126. Id.
127. Microsoft PressPass for Journalists, Microsoft Addresses Need for Comprehensive Federal Data Privacy Legislation, http://www.microsoft.com/presspass/features/2005/nov05/11-03Privacy.mspx (last visited Feb. 15, 2006).
128. Id.
129. Mierzwinski, supra note 120, at 8-10.
130. Specter's bill's trigger language is broader than a risk of identity theft, but appears to be more vague than broad when compared to California's law. California's law has defined its trigger language, but it is still uncertain what exactly Specter's significant risk of harm standard actually encompasses.
131. S. 1332, 109th Cong. § 421(a) (2005).
132. Alexei Alexis, State AGs Urge Congress to Establish Broad Data Breach Notification Standards, 4 PRIVACY & SECURITY L. REP. 1357 (Nov. 7, 2005), available at http://pubs.bna.com/ip/BNA/PVL.NSF/85256269004a991e8525611300214487/ab8a6d28cfd12309852570af00829898?OpenDocument (last visited Feb. 15, 2006).

Not everyone opposes a narrow bill, and many see a broad bill as cumbersome. Representative Cliff Stearns voiced a fear that "a broader notification standard would drive up costs for businesses and inundate consumers with meaningless warnings."[139] The Securities Industry Association stated that a broad trigger like California's standard leads to over-notification, and companies will run the risk of unnecessarily confusing and frightening consumers, and, possibly, desensitizing or numbing consumers to future notifications.[140] The ITAA provides that a narrower federal law based on the risk of identity theft clearly articulates when notification is required and will help companies distinguish between security breaches that pose legitimate threats and those that do not.[141]

133. See Letter from US PIRG, Privacy Rights Clearinghouse, Electronic Privacy Rights Center, and Consumers Union to Subcommittee on Commerce, Trade, and Consumer Protection and Committee on Energy and Commerce (Nov. 2, 2005), available at http://www.uspirg.org/consumer/archives/41271trfinal.pdf (last visited Feb. 15, 2006).
134. See id.
135. US PIRG, Privacy Rights Clearinghouse, Electronic Privacy Rights Center, and Consumers Union.
136. Letter, supra note 133.
137. Letter, supra note 133.
138. Id.
139. Grant Gross, Data Breach Bills Unlikely to Pass Before 2006, INFOWORLD, Nov. 21, 2005, http://www.infoworld.com/article/05/1111 I/HNdatabreachbill 1.html (last visited Apr. 6, 2006).
140. Hammerman, supra note 124, at 8-9.
141. Alexis, supra note 102.


146 ENTREPRENEURIAL BUSINESS LAW JOURNAL [Vol. 1:125

At this point, the makeup of a federal law is uncertain. Congress has and will continue to maneuver trigger language, additional notification requirements, content requirements, and preemption policies to strike a balance, but regardless of what Congress does, businesses, especially smaller startup businesses, should be prepared to comply with the final federal product or current state laws.

V. BUSINESS ISSUES FOR ENTREPRENEURS TO CONSIDER

When entrepreneurs start businesses, they should be looking at more than just executing brilliant business plans, aggressive marketing, and sound financial planning; they also need to be developing cost-effective data safeguarding and privacy compliance schemes. The temptation to overlook the importance of legal compliance always exists, but in the case of breach notification laws, data safeguarding requirements, and other privacy laws, an oversight can lead to even more disastrous effects for small startup businesses that have little room for customer dissatisfaction and defection. Because identity theft has for six years been the number one consumer complaint to the Federal Trade Commission,142 it is not economical for any business to ignore issues of data security or breach notification. Knowing this reality, a startup business needs to react to breach notification and data safeguard laws with great care and deference, but the costs associated with compliance can be expensive and time-consuming. A balance can occur, and new business ventures should look to larger corporations for examples of how to protect data and assist customers. Implementing procedures that large corporations have adopted may be too costly, so an efficient process needs to be created. Even though the status and structure of a uniform federal law is unknown, a business can still take the proper steps to position itself for absolute compliance and, more importantly, customer satisfaction. Notification is a result of misfortune or failure, so it is appropriate to begin with ideas of how startup businesses can protect themselves. But once they are protected they must also determine what the best course of action is when something does go wrong and the law requires them to notify individuals of a breach.

142 See Federal Trade Commission, Consumer Fraud and Identity Theft Complaint Data, 5 (Jan. 25, 2006), available at http://www.consumer.gov/sentinel/pubs/ToplOFraud2005.pdf (last visited Feb. 15, 2006).


A. Data Security143

Financial services companies have created security programs to comply with data safeguarding provisions of federal laws like GLBA,144 and other corporations have been keen to bolster their security programs to avoid actions from state attorneys general and the FTC under unfair and deceptive trade practices statutes.145 Data security ideas exist, and companies like Microsoft, Inc. have suggested a few practical ways to prepare for a security breach.146 They stress encryption, development of a disaster plan, storage of only absolutely necessary information, and discontinuing the use of Social Security numbers.147 Oracle, Inc., in response to California's standards, suggested similar tips for compliance, and they added some additional ways to bolster one's data security program. Businesses should not store credit card numbers in their entirety, implement security-related training programs for employees, make use of cryptographic hashes, manage user authorization centrally, and make use of other advanced technological safeguards.148 These suggestions may look simple and appealing to startup businesses, but one must assess their effectiveness in a smaller business environment, specifically the effectiveness of encryption, the discontinued use of personal information, and the use of GLBA standards as a template for compliance.

1. Encryption

California's SB 1386 provides businesses a safe harbor: one does not have to notify individuals if the private information accessed is encrypted.149 It is unknown whether a federal law will have an encryption safe harbor, but as Microsoft suggests, encryption is a strong way to protect data. According to Eric Ouellet, Vice President of Research and Privacy at Gartner in Connecticut, many companies have already started to model their

143 Up to this point, most of the discussion has been about breach notification laws. A slight divergence into data security is necessary to continue the breach notification discussion because businesses are better off not having to avoid any individual under any law by protecting their duty and implementing sound business practices to ensure security.
144 See Janger, supra note 4.
145 See Press Release, Federal Trade Commission, supra note 17; see also Press Release, Off. of N.Y. St. Att'y Gen. Eliot Spitzer, supra note 17.
146 See Microsoft TechNet, Legal Briefs: Breach Notification Laws, http://www.microsoft.com/technet/technetmag/issues/2006/ /LegalBriefs/default.aspx (last visited Feb. 15, 2006).
147 Id.
148 Oracle Product Stack, Best Practices for California SB 1386, http://www.oracle.com/technology/deploy/security/db security/pdforacle sb 1386.pdf (last visited Feb. 15, 2006).
149 CAL. CIVIL CODE § 1798.29(a) (Deering 2005).


own best practices in the spirit of breach notification laws, and this includes embracing encryption and other protective schemes.150 Unfortunately, high-end encryption technology is costly151 and there is a debate over which applications and technologies are the most effective.152 The encryption process is not only potentially expensive; high-end encryption can be complex and lengthy,153 and unless a business plans to encrypt data once and let it sit idle, a business will have to go through the process of accurately decrypting, re-encrypting, and storing the data for future use.154 A number of other drawbacks exist with the encryption technology: potential slowed performance of computer systems, difficulty managing keys to encrypt and decrypt data, insiders still have access to keys, and increased difficulty managing and searching data once encrypted.155

Encryption is a viable way to protect sensitive data, but a startup business should evaluate what options are most practical and relevant to its needs. Blanket encryption may be too costly and create unneeded complexity.156

Technology is always changing, and the risk of technology becoming outdated or ineffective will always exist because each business is different, and the assessment of which data should be encrypted with which technology will need to be done on an ad hoc basis, considering protection, cost, and manageability.

2. Discontinue Use of Some Personal Information

The idea of storing and using the least amount of personal information possible is an economical approach and will help lower costs and minimize the amount of potentially exposed data. The idea of discontinuing the use of Social Security numbers is a logical suggestion, but if business practice involves accessing credit reports and other sensitive documents, it would be cumbersome, if not impossible, to use account numbers in place of Social Security numbers. Storing more information than what is needed to conduct business should be discouraged, but each business' requirements are different and it may be difficult to discontinue

150 Lauren Bielski, Operation Lockdown?, ABA BANKING J., February 2006, at 62, available at http://www.allbusiness.com/periodicals/article/867452-1.html.
151 Henry Baltazar, Secure Storage Tops Labs' New Year's Wish List, EWEEK.COM, Jan. 16, 2006, http://www.eweek.com/article2/0,1895,1909603,00.asp (last visited Feb. 15, 2006).
152 Bielski, supra note 150.
153 Baltazar, supra note 151.
154 Interview with Kirk Herath, Chief Privacy Officer, Nationwide Mut. Ins. Co., in Columbus, OH. (Feb. 10, 2006).
155 George V. Hulme, Data Lockdown, INFORMATIONWEEK, Apr. 19, 2004, http://www.informationweek.com/showArticle.jhtml?articleID- 18901717 (last visited Feb. 15, 2006).
156 Microsoft and Oracle suggest the use of encryption, but they are also the entities that sell encryption technology.


the gathering and storing of Social Security numbers, credit card numbers, and other sensitive information.
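As an added illustration of the truncation, cryptographic-hash and data-minimization tips discussed above (example code written for this page, not Microsoft's, Oracle's or the note's own), the following Python keeps only the last four digits of a card number and replaces the Social Security number with a keyed hash whose key is held outside the record store. The customer values are constructed, and the key is assumed to come from a separate secrets manager.

```python
import hashlib
import hmac
from dataclasses import dataclass

def normalize_digits(value: str) -> str:
    """Strip dashes and spaces so '123-45-6789' and '123456789' match."""
    return "".join(ch for ch in value if ch.isdigit())

def truncate_card(pan: str) -> str:
    """Keep only the last four digits of a payment card number."""
    digits = normalize_digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must be 13 to 19 digits")
    return digits[-4:]

def ssn_blind_index(ssn: str, key: bytes) -> str:
    """Keyed hash of an SSN for exact-match lookup without storing the SSN.

    A plain SHA-256 would not do: only about a billion SSNs exist, so anyone
    holding the table could hash them all and recover every number. HMAC with
    a secret key removes that shortcut; the key is kept outside the store.
    """
    digits = normalize_digits(ssn)
    if len(digits) != 9:
        raise ValueError("SSN must be nine digits")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class StoredCustomer:
    name: str
    card_last4: str  # the full card number is never retained
    ssn_index: str   # hex HMAC-SHA256 of the SSN, not the SSN itself

class CustomerStore:
    """Record store that never holds a full card number or a raw SSN."""

    def __init__(self, index_key: bytes):
        # Assumed deployment: the key comes from a secrets manager or HSM, so
        # a copied table alone cannot be turned back into SSNs.
        if len(index_key) < 32:
            raise ValueError("index key should be at least 256 bits")
        self._key = index_key
        self._by_index: dict[str, StoredCustomer] = {}

    def add(self, name: str, pan: str, ssn: str) -> StoredCustomer:
        record = StoredCustomer(name, truncate_card(pan),
                                ssn_blind_index(ssn, self._key))
        self._by_index[record.ssn_index] = record
        return record

    def find_by_ssn(self, ssn: str):
        """Lookup that only a holder of the key can perform."""
        return self._by_index.get(ssn_blind_index(ssn, self._key))

    def stored_values(self) -> list[str]:
        """Every string actually held, i.e. what a copied table would expose."""
        return [v for r in self._by_index.values()
                for v in (r.name, r.card_last4, r.ssn_index)]
```

`stored_values()` is the check to run when assessing what a lost laptop or copied table would actually expose: the raw SSN and full card number should never appear in it.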

3. GLBA and Other Safeguarding Standards

Federal and state agencies have provided a plethora of best practice suggestions for businesses that need to comply with GLBA safeguarding standards and other state safeguarding regulation. For example, the Interagency Compliance Guidelines are a compilation of § 501(b) of the GLBA and § 216 of the Fair and Accurate Credit Transaction Act of 2003, and these guidelines were created to "establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information."157 Benjamin Wright, a Dallas-based data security attorney, advises that the guidelines can be "a good reference for all businesses."158

The guidelines recommend that a security program should be designed to suit the size and complexity of the business and the nature and scope of its activities.159 Companies should identify reasonable internal and external threats to personal data, quantify the sensitivity of the data and ensure protection accordingly, continuously monitor computerized and paper information, ensure proper record disposal, train staff, and test key controls and computerized components.160

B. Approaches to Notification

Even if data is properly safeguarded, accidents happen.161 Data security and employee protocol can do nothing to save a business' data when an employee loses a laptop, potentially exposing the sensitive personal information of thousands of customers. It would be unwise for a business, especially a new business with a smaller clientele, to hastily notify all customers if a breach occurs. A checklist created by Kirk J. Nahra provides practical and helpful questions to think about after a security breach.162 He suggests such questions as, "[D]o I have to notify anyone? If

157 Federal Reserve Board, supra note 5, at 2-3.
158 Donald G. Aplin, Lawyer Says Recent GLB Guidance Is Good Reference for All Businesses, 5 PRIVACY & SECURITY L. REP. 57 (Jan. 16, 2006), available at http://pubs.bna.com/ip/BNA/PVL.NSF/85256269004a991 e8525611300214487/14c9a43250807e28852570f400831745?OpenDocument (last visited Feb. 15, 2006).
159 Federal Reserve Board, supra note 5, at 5.
160 Id. at 5-7, 12.
161 Many of the data breaches in 2005 were not associated with data hackers, but with lost laptops and lost backup tapes. The Privacy Rights Clearinghouse, supra note 6.
162 Kirk J. Nahra, A 2006 Privacy and Security Compliance Checklist, 5 PRIVACY & SECURITY L. REP. 144 (Jan. 30, 2006), available at http://pubs.bna.com/ip/BNA/PVL.NSF/85256269004a991 e8525611300214487/8d7dfeee2993b9538525710400080272?OpenDocument (last visited Mar. 1, 2006).


so, whom must I notify and through what means? If I don't 'have to' notify, should I notify anyway? Is there anyone else I need to notify (clients, regulators, etc.)?"163

California's law essentially governs until another state provides a broader trigger or a federal law preempts state law, but even in the midst of uncertainty, businesses should take a general mind frame that if a security breach occurs, the business will do its personal best to "make things right." This "make things right" attitude could entail offering free one-year credit monitoring, toll-free numbers for assistance, and other services to their customers when their personal information has been compromised.164 It is in the business' best interest to minimize damages to avoid further lawsuits and complications. Most corporations have adopted these services as best practices165 and it would be prudent for startup businesses to adopt similar practices.

The physical and financial cost of notification can be a significant burden to a business, but if done efficiently and professionally, notification can become an opportunity for businesses to distinguish themselves with their customer service. A business should review its notification content to make sure the message is clear and relevant, making sure the customer feels confident that the responsibility of monitoring and the burden of clearing up any issues will fall on the business and not the customer. Multiple methods of notification should be deployed if deemed necessary to put customers on notice. Companies, of course, need not risk frightening consumers by flooding them with too much information. Also, over-notification could lead consumers to become desensitized to future occurrences.166

Businesses should inform individuals that identity theft is only one of many kinds of fraud people can commit with sensitive information. Individuals may not truly grasp the nuances of identity theft, or realize that those who steal identities are looking for more than an opportunity to buy a few computers online and are hoping for long-term fraud.167 Customers will appreciate the additional warning, and the warning may go as far as assisting in stopping future harm. There is a balance between frightening and servicing, and each business will need to make individual determinations along the way to find what is best for its business.

163 Id.
164 Interview with Kirk Herath, Chief Privacy Officer, Nationwide Mut. Ins. Co., in Columbus, OH. (Feb. 10, 2006).
165 Id.
166 See Hammerman, supra note 124, at 9.
167 Interview with Kirk Herath, Chief Privacy Officer, Nationwide Mut. Ins. Co., in Columbus, OH. (Feb. 10, 2006).


VI. CONCLUSION

When entrepreneurs think about engaging in a new business venture, they may be tempted to craft their business plan and leave issues of privacy compliance as an afterthought. Entrepreneurs have limited ability to voice their opinions on how breach notification laws are managed or created, but if they did, they may ask for narrow notification triggers and limited reporting requirements, whatever balance allows for the most consumer protection at minimal cost. Breach notification laws should be clear so that business can be efficiently conducted, but consumer protection and confidence need to be weighed. Triggers with a broad quantifying agent, whether it be "significant risk of harm", "misuse" or some derivation, will provide clarity for businesses but protect consumers from more than just identity theft. Reasonable reporting to credit reporting agencies and enforcement agencies should be required and civil actions should be limited to state attorneys general, but those who are planning a business do not have to wait for the law to settle. They can begin to investigate current data safeguarding and notification policies, but more importantly, they can begin to plan. If data safeguarding schemes and notification protocols can be addressed in the early formation stages of a business, then entrepreneurs will be able to save money and ward off future headaches.

Entrepreneurs should implement privacy and safeguarding compliance strategies into their business plans so they can comply with the law, but implementation of these legal issues does more than help businesses avoid fines and lawsuits. Implementation allows businesses to respect consumers' privacy expectations and create opportunities to be cost-effective.
